Configuring Cisco Secure ACS v5.5 to use RADIUS for Orchestrator Authentication This document outlines the procedure for configuring Cisco Secure Access Control System to provide RADIUS services for Orchestrator authentication. This procedure for configuring RADIUS references the ACS server s internal user datastore. All names and descriptions created by the user are denoted in cyan. Advanced users who are familiar with the ACS RADIUS configuration tasks and only need to know the Orchestrator attributes for admin and monitor can refer to the following table: Dictionary Type Attribute Type Value admin Radius Cisco cisco-av-pair string LOGIN:priv-lvl=7 Radius IETF service Type Enumeration NAS prompt monitor Radius Cisco cisco-av-pair string LOGIN:priv-lvl=0 Radius IETF service Type Enumeration NAS prompt SUMMARY OF TASKS 1 Add Orchestrator information to Cisco s Secure Access Control System 2 Create Identity Groups for Orchestrator s admin and monitor users 3 Create ACS internal users for the Orchestrator 4 Define attributes for admin and monitor users for Orchestrator 5 Create access services that define policy structure and allowed protocols for admin and monitor 6 Create access rules for the services 7 Create a Service Selection Rule to parse traffic hitting the RADIUS server for appropriate action 8 Configure the Orchestrator for RADIUS authentication with Cisco Secure ACS Rev A - March 2016
1 Add Orchestrator information to Cisco s Secure Access Control System a After logging into the Cisco Secure ACS, navigate to Network Resources > Network Devices and AAA Clients. b Click Create. Complete the following fields: Name: Orchestrator Description: adding Orchestrator to ACS IP: [Orchestrator IP address] RADIUS: [select] Shared Secret: [Orchestrator s shared secret] c Click Submit. The result displays in the Network Devices table. Rev A - March 2016 2
2 Create Identity Groups for Orchestrator s admin and monitor users a Navigate to Users and Identity Stores > Identity Groups, and at the bottom of the page, click Create. To create the group for admin, complete the following fields: Name: orchestrator-admin-group Description: Orchestrator administrator group b Click Submit. The new group displays under All Groups. c Click Create. Rev A - March 2016 3
d Again, navigate to Users and Identity Stores > Identity Groups, and at the bottom of the page, click Create. To create the group for monitor, complete the following fields: Name: orchestrator-monitor-group Description: Orchestrator monitor group e Click Submit. The new group displays under All Groups. Rev A - March 2016 4
3 Create ACS internal users for the Orchestrator a b Navigate to Users and Identity Stores > Internal Identity Stores > Users, and at the bottom of the page, click Create. To create an admin-level user for Orchestrator, complete the following fields: Name: Description: Identity Group: Password Type: Password / Confirm Password: orchadmin Orchestrator administrator [select] All Groups: orchestrator-admin-group Internal Users [create one] Rev A - March 2016 5
c Click Submit. The new user name appears in the Internal Users list. d Click Create. To create a monitor-level user for Orchestrator, complete the following fields: Name: Description: Identity Group: Password Type: Password / Confirm Password: orchmonitor Orchestrator monitor [select] All Groups: orchestrator-monitor-group Internal Users [create one] Rev A - March 2016 6
e Click Submit. The new user name appears in the Internal Users list. Rev A - March 2016 7
4 Define attributes for admin and monitor users for Orchestrator a b To create an admin profile, navigate to Policy Elements > Authorizations and Permissions > Network Access > Authorization Profiles, and at the bottom of the page, click Create. In the General tab, complete the following: Name: Description: RADIUS admin profile authorization profile for admin Rev A - March 2016 8
c Click the RADIUS Attributes tab and complete the following: Dictionary Type: RADIUS Attribute: Attribute Type: Attribute Value: RADIUS-Cisco cisco-av-pair String Static [enter this] LOGIN:priv-lvl=7 d Click Add^. The entry appears in the Manually Entered table. Now, we ll add a second attribute. Rev A - March 2016 9
e In the RADIUS Attributes tab, complete the following: Dictionary Type: RADIUS Attribute: Attribute Type: Attribute Value: RADIUS-IETF Service-Type Enumeration Static NAS Prompt f Click Add^. The entry appears in the Manually Entered table. Rev A - March 2016 10
g Click Submit. The RADIUS admin profile appears in the Authorization Profiles list. Now, we ll create the monitor profile. h Click Create. In the General tab, complete the following: Name: Description: RADIUS monitor profile authorization profile for monitor Rev A - March 2016 11
i Click the RADIUS Attributes tab and complete the following: Notice that for the monitor, the level equals zero. Dictionary Type: RADIUS Attribute: Attribute Type: Attribute Value: RADIUS-Cisco cisco-av-pair String Static [enter this] LOGIN:priv-lvl=0 Rev A - March 2016 12
j Click Add^. The entry appears in the Manually Entered table. Now, we ll add the second attribute. k In the RADIUS Attributes tab, complete the following: Dictionary Type: RADIUS Attribute: Attribute Type: Attribute Value: RADIUS-IETF Service-Type Enumeration Static NAS Prompt Rev A - March 2016 13
l Click Add^. The entry appears in the Manually Entered table. m Click Submit. The RADIUS monitor profile appears in the Authorization Profiles list. Rev A - March 2016 14
5 Create access services that define policy structure and allowed protocols for admin and monitor a Navigate to Access Policies > Access Services, and click Create. When Step 1 - General appears, complete the following: Name: Description: User Selected Service Type: Policy Structure: Orch-admin services Orchestrator admin services for administrator Network Access Identity Authorization b Click Next. When Step 2 - Allowed Protocols appears, select the following: Process Host Lookup: Authentication Protocols: [deselect] Allow PAP/ASCII Allow CHAP Rev A - March 2016 15
c Click Finish. When asked if you d like to activate this service, click Yes. Notice that Orch-admin services is now listed under Access Policies in the navigation panel. Rev A - March 2016 16
6 Create access rules for the services These specify the conditions users must meet for access to Orchestrator. a Navigate to Access Policies > Access Services > Orch-admin services > Identity, and click Select. b Select Internal Users, and click Save Changes. Rev A - March 2016 17
c Navigate to Access Policies > Access Services > Orch-admin services > Authorization, and click Customize. The Customize Conditions window appears. d Select and move Compound Condition from the Selected column to the Customize Conditions column. Rev A - March 2016 18
e Select and move Identity Group to the Selected column. f Click OK. The result displays in the Conditions column. Rev A - March 2016 19
g Click Create. A dialog box appears. h Select the Identity Group checkbox, and click Select. The Network Device Groups list appears. i Select orchestrator-admin-group and click OK. The Rule-1 dialog returns. Rev A - March 2016 20
j Below the Authorization Profiles field, click Select. The Authorization Profiles dialog appears. k Select RADIUS admin profile and click OK. Rev A - March 2016 21
The input window returns. l Click OK. The Network Access Authorization Policy returns, with Rule-1 included. m n At the bottom of the page, click Save Changes. Now you ll add Rule-2 to include the RADIUS monitor profile. At the bottom of the page, click Create. The Rule-2 dialog box appears. Select the Identity Group checkbox, and click Select. The Network Device Groups list appears. Select orchestrator-monitor-group and click OK. The Rule-2 dialog returns. Below the Authorization Profiles field, click Select. The Authorization Profiles dialog appears. Rev A - March 2016 22
Select RADIUS monitor profile and click OK. The input window returns. Click OK. The Network Access Authorization Policy returns, with Rule-2 included. o Click Save Changes. Rev A - March 2016 23
7 Create a Service Selection Rule to parse traffic hitting the RADIUS server for appropriate action a Navigate to Access Policies > Access Services: Service Selection Rules, and click Create. A dialog appears for creating a new rule. Rev A - March 2016 24
b Complete the following: Select the Protocol checkbox, and select match and Radius. From the drop-down list in the Service field, select Orch-admin services. Click OK. The Service Selection Policy page appears, displaying the new rule at the bottom of the list. c Select the new rule, and click the caret to move the rule up to the appropriate priority. Use the caret to move the Service Selection Rule up to the appropriate priority. Rev A - March 2016 25
d Click Save Changes. You have now finished configuring Cisco Secure ACS to use RADIUS for authenticating Orchestrator users. Rev A - March 2016 26
8 Configure the Orchestrator for RADIUS authentication with Cisco Secure ACS a After logging into the Orchestrator as admin, navigate to Orchestrator Administration > Authentication. The Remote Authentication dialog box appears. b Select RADIUS, and complete the following: Authentication Order: Remote first Server IP: [Cisco Secure ACS IP address] Server Port: 1812 Server Secret Key: [Orchestrator s shared secret] c d Click Save. Log out of Orchestrator. Rev A - March 2016 27
e On the welcome page, log in as orchadmin, the identity you created in the RADIUS server. Orchestrator is now authenticating users via the RADIUS server. Rev A - March 2016 28